Sunday, May 2, 2010

Crowdsourcing CAPTCHA cracking

The NYT has reported on the practice of outsourcing the breaking of captchas to people in Bangladesh, India and China. The work is neither glamorous nor well paid, at 80 cents to $1.20 per 1,000 solved captchas, but there seem to be enough takers nonetheless. The work is farmed out through online exchanges like Freelancer.com, where, for example, an operator in Bangladesh runs an operation turning out captcha solutions 24 hours a day, seven days a week.

Macduff Hughes, an engineering director at Google, says that “Our goal is to make mass account creation less attractive to spammers, and the fact that spammers have to pay people to solve captchas proves that the tool is working.” So we should see captchas as a deterrent rather than a foolproof way of distinguishing people from malware. In fact, if people are being employed to break these little authentication puzzles, then the puzzles are working as intended: they make sure that a person is behind the answer. Unfortunately, the malware is masking a mechanical turk. The inventors of captchas probably did not expect that solving these puzzles could be farmed out so easily using Web 2.0 technology.

The bigger threat probably comes from the direct computer solution to captchas, which can be scaled and can provide solutions in real time. I recently posted on the very thorough analysis of the Koobface botnet at abuse.ch, including a section on its captcha-breaking network. The captchas are broken in at most 3 minutes, and in many cases in just a few seconds. There is also evidence presented by Webroot that audio captchas are being broken in real time by automated means.

3 comments:

虹玟 said...

A wonderful article is my reason for staying~

outsourcing web development said...

Simply amazing work. This fits with my topic. It helps a lot because the information is so great and it is really so related to what I have been supporting right now. Thanks
outsourcing web development | offshore web development

boy labyog said...

I have seen captcha cracking software.

Laby[cheap tuxedos]